Cyber Posture

CVE-2025-63666

Critical · Public PoC

Published: 12 November 2025
Modified: 17 November 2025
KEV Added: (none recorded)
Patch: (none recorded)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (28.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Tenda AC15 (v15.03.05.18_multi) issues an authentication cookie that exposes the account password hash to the client and uses a short, low-entropy suffix as the session identifier. An attacker with network access or the ability to run JS in a victim browser can steal the cookie and replay it to access protected resources.

Mitigating Controls (NIST 800-53 r5)AI

prevent: Directly mitigates replay of stolen authentication cookies by requiring session authenticity mechanisms (nonces, timestamps, or cryptographic checksums) that prevent unauthorized reuse.

prevent: Prevents exposure of the account password hash in client-accessible cookies by mandating protection of authenticator content from unauthorized disclosure.

prevent: Remediates the firmware flaw (insecure cookies with exposed hashes and low-entropy session IDs) through timely identification, reporting, and correction.

Security SummaryAI

CVE-2025-63666 is a critical authentication vulnerability (CVSS 3.1 base score 9.8) in the Tenda AC15 router running firmware v15.03.05.18_multi. The router issues an authentication cookie that carries the account password hash to the client and uses a short, low-entropy suffix as the session identifier. Classified as CWE-284 (Improper Access Control), the flaw lets anyone holding the cookie reuse it as the legitimate user.

An attacker needs only network access to the router or the ability to execute JavaScript in a victim's browser. Having stolen the cookie, whether by interception on the network or by client-side script, the attacker replays it to impersonate the victim and reach protected administrative resources, which can lead to full compromise of the device; the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records high confidentiality, integrity and availability impact. Because the cookie also carries the password hash, the theft yields credential material that can be cracked offline as well as a replayable session.

Mitigation details and further technical analysis are available in the primary advisory reference at https://github.com/Remenis/CVE-2025-63666.
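To make the two defects concrete, here is an added example (not code from the advisory, the PoC repository, or Tenda's firmware) that models the weak cookie scheme the summary describes beside a hardened issuance routine. The exact cookie layout is an assumption: an unsalted MD5 of the password followed by a 4-digit suffix; the real firmware's format is not given on this page. The hardened half shows what the mitigating controls ask for: an opaque random identifier that carries no credential material, server-side session state with expiry, and the HttpOnly/Secure/SameSite attributes.

```python
"""Constructed model of the weak cookie scheme described on this page,
beside a hardened issuance routine. The cookie layout (unsalted MD5 of the
password followed by a 4-digit suffix) is an assumption for illustration,
not Tenda's actual firmware code."""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

SUFFIX_DIGITS = 4   # assumption: the "short, low-entropy suffix"
MD5_HEX_LEN = 32


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def weak_cookie(password: str, suffix: int) -> str:
    """Cookie value that hands the client the account's unsalted MD5 hash."""
    return md5_hex(password) + f"{suffix:0{SUFFIX_DIGITS}d}"


def split_weak_cookie(cookie: str) -> Tuple[str, str]:
    """What an attacker learns from a stolen cookie: the hash and the session suffix."""
    return cookie[:MD5_HEX_LEN], cookie[MD5_HEX_LEN:]


def crack_md5(pw_hash: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack (T1110.002) against the leaked hash."""
    for word in wordlist:
        if md5_hex(word) == pw_hash:
            return word
    return None


def suffix_guess_space() -> int:
    """Candidates an attacker must try when only the suffix is unknown."""
    return 10 ** SUFFIX_DIGITS


# --- Hardened scheme: opaque random identifier, server-side state, expiry, flags ---
SESSION_TTL = 900  # seconds
_sessions: Dict[str, Tuple[str, float]] = {}


def issue_session(username: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Return (session id, Set-Cookie header value) for a freshly authenticated user."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits; carries no credential material
    _sessions[sid] = (username, now + SESSION_TTL)
    header = (f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict; "
              f"Max-Age={SESSION_TTL}")
    return sid, header


def lookup_session(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve a presented session id; unknown or expired ids are rejected."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del _sessions[sid]
        return None
    return username


def revoke_session(sid: str) -> None:
    """Logout: a replayed cookie stops working once the server-side entry is gone."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    stolen = weak_cookie("admin123", 42)   # constructed sample password
    h, s = split_weak_cookie(stolen)
    print("stolen cookie:", stolen)
    print("suffix:", s, "of", suffix_guess_space(), "possibilities; cracked:",
          crack_md5(h, ["admin", "admin123"]))
    sid, hdr = issue_session("admin")
    print("hardened Set-Cookie:", hdr)
```

The point of `suffix_guess_space` is that a 4-digit suffix leaves 10,000 candidates, which is an online brute force of minutes once the hash half is known; the hardened id has 2^256 candidates and the server-side table, not the cookie contents, decides who the session belongs to, so revocation and expiry actually take effect.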

Details

CWE(s)

Affected Products

Vendor: tenda
Product: ac15 firmware
Version: 15.03.05.18

MITRE ATT&CK Enterprise TechniquesAI

T1110.002 Password Cracking (Credential Access)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes is obtained.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.
Why these techniques?

The vulnerability exposes an MD5 password hash in an insecure cookie (no HttpOnly, Secure or SameSite attribute), enabling theft of the cookie over the network or via injected JavaScript (T1539), offline cracking of the exposed hash (T1110.002), and replay of the stolen cookie to authenticate (T1550.004).
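A practitioner checking a device for this class of weakness can audit the Set-Cookie headers it returns after login. The following is an added example (not code from this page or from the PoC repository) that parses a Set-Cookie value and reports exactly the properties the mapping above relies on: missing HttpOnly/Secure/SameSite, no expiry, a value that looks like an MD5 digest, and a session part too short to be an opaque identifier. Both sample headers are constructed for the example; the cookie name, the digest (MD5 of the empty string) and the 16-character floor for the session part are assumptions, not values observed on a Tenda device.

```python
"""Audit of Set-Cookie header values for the weaknesses listed above.
Added example; the sample headers are constructed, not captured from a
Tenda device, and the cookie names are assumed."""
import re
from typing import Dict, List, Tuple

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}")
MIN_SESSION_CHARS = 16  # assumption: anything shorter is too small for an opaque id


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    _, value, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script running in the browser (T1539)")
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP, capturable on the LAN")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    if "max-age" not in attrs and "expires" not in attrs:
        findings.append("no expiry: a stolen cookie stays replayable until the server forgets it")
    session_part = value
    if MD5_HEX.match(value):
        findings.append("value starts with 32 hex chars: looks like an MD5 digest, "
                        "i.e. credential material in the cookie (T1110.002)")
        session_part = value[32:]
    if len(session_part) < MIN_SESSION_CHARS:
        findings.append(f"session part is {len(session_part)} chars: "
                        "low-entropy identifier, guessable online (T1550.004)")
    return findings


# Constructed samples: the first mimics the weak layout described on this page
# (digest followed by a 4-digit suffix, no attributes), the second is what a
# hardened router should send.
WEAK_HEADER = "auth=d41d8cd98f00b204e9800998ecf8427e0042; Path=/"
STRONG_HEADER = ("session=l9cK2xv5qKJ0sZ3m8bN1rT6wYe4uHa7pFd0gQc2sXlA; Path=/; "
                 "HttpOnly; Secure; SameSite=Strict; Max-Age=900")

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, STRONG_HEADER):
        print(hdr)
        for finding in audit_set_cookie(hdr) or ["no findings"]:
            print("  -", finding)
```

Run it against the headers a real device returns (for example by pasting the `Set-Cookie` lines from a proxy capture of the login response) rather than against the constructed samples; the digest heuristic only catches hex MD5, so a device that encodes the hash differently will still need manual inspection of the value.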

References